How to Recover a Deleted File in Linux

Did this ever happen to you? You realized that you had mistakenly deleted a file – either through the Del key, or using rm in the command line.

In the first case, you can always go to the Trash, search for the file, and restore it to its original location. But what about the second case? As I am sure you probably know, the Linux command line does not send removed files anywhere – it REMOVES them. Bum. They’re gone.

Suggested Read: How to Recover Deleted Files/Directories Using Scalpel Tool

In this article we will share a tip that may be helpful to prevent this from happening to you, and a tool that you may consider using if at any point you are careless enough to do it anyway.

Create an alias to ‘rm -i’

The -i switch, when used with rm (and also other file-manipulation tools such as cp or mv) causes a prompt to appear before removing a file.

The same applies to copying, moving, or renaming a file in a location where one with the same name exists already.

This prompt gives you a second chance to consider if you actually want to remove the file – if you confirm the prompt, it will be gone. In that case, I’m sorry but this tip will not protect you from your own carelessness.

To replace rm with an alias to 'rm -i', do:

alias rm='rm -i'

The alias command will confirm that rm is now aliased:

Add Alias rm Command
Add Alias rm Command

However, this will only last during the current user session in the current shell. To make the change permanent, you will have to save it to ~/.bashrc (some distributions may use ~/.profile instead) as shown below:

Add Alias Permanently in Linux
Add Alias Permanently in Linux

In order for the changes in ~/.bashrc (or ~/.profile) to take effect immediately, source the file from the current shell:

. ~/.bashrc
Active Alias in Linux
Active Alias in Linux

The forensics tool – Foremost

Hopefully, you will be careful with your files and will only need to use this tool while recovering a lost file from an external disk or USB drive.

However, if you realize you accidentally removed a file in your system and are going to panic – don’t. Let’s take a look at foremost, a forensics tool that was designed for this kind of scenarios.

To install foremost in CentOS/RHEL 7, you will need to enable Repoforge first:

# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
# yum install foremost

Whereas in Debian and derivatives, just do

# aptitude install foremost

Once the installation has completed, let’s proceed with a simple test. We will begin by removing an image file named nosdos.jpg from the /boot/images directory:

# cd images
# rm nosdos.jpg

To recover it, use foremost as follows (you’ll need to identify the underlying partition first – /dev/sda1 is where /boot resides in this case):

# foremost -t jpg -i /dev/sda1 -o /home/gacanepa/rescued

where /home/gacanepa/rescued is a directory on a separate disk – keep in mind that recovering files on the same drive where the removed ones were located is not a wise move.

If, during the recovery, you occupy the same disk sectors where the removed files used to be, it may not be possible to recover anything. Additionally, it is essential to stop all your activities before performing the recovery.

After foremost has finished executing, the recovered file (if recovery was possible) will be found inside the /home/gacanepa/rescued/jpg directory.

Summary

In this article we have explained how to avoid removing a file accidentally and how to attempt to recover it if such an undesired event happens. Be warned, however, that foremost can take quite a while to run depending on the size of the partition.

As always, don’t hesitate to let us know if you have questions or comments. Feel free to drop us a note using the form below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Gabriel Cánepa
Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

9 Comments

Leave a Reply
  1. I had the same problem two years ago and I tried a lot of programs, like debugfs, photorec, ext3grep and extundelete. ext3grep was the best program to recover files.

    The syntax is very easy:

    # ext3grep image.img --restore-all
    OR
    # ext3grep /dev/sda3 --restore-all --after date -d '2015-01-01 00:00:00' '+%s' --before `date -d ‘2015-01-02 00:00:00’ ‘+%s’
    

    This video (https://youtu.be/XZTXcGVFgiE) is a mini tutorial that can help you.

    Reply
  2. How do you recover all files and directories in a folder when deleted by rm -r * and not just one file? using redhat enterprise 6.6.

    Thank you

    Reply
  3. Gabriel Hello,

    Here Romualdo from Malaga (Spain). Look, a simple detail, you’ve eaten a “c” in the command. ~/.bashrc For the changes to take effect immediately.

    I want to congratulate you because all your articles are great, of whom I am one of your many fans.

    Receives a warm greeting.
    Romu.

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.